Suppressing Content in Recordings

Depending on the type of sensitive information your users enter on your site, you may want Hotjar to not collect data from certain fields and elements. When doing so, Hotjar does not collect the data and instead sends an asterisk "***" or 1s "111" for each character.

Note

We suppress fields/text/images before sending the data back to our servers. There is no way to retrieve the suppressed content used once a Recording has been made.

Suppressing input fields in Recordings

You can suppress all fields on your site by disabling the setting Record visitor keystroke data on this site which can be found by clicking on the edit pencil button next to your site in Sites & Organizations. This setting is site-specific.

Supressing Specific Elements in Recordings

You can suppress individual elements, input fields, regular text and images, by making a small modification to your site code, adding an attribute data-hj-suppress to the elements you wish to suppress.

Image Suppression

We replace suppressed images with the pattern below, matching the size of the original image.

Verifying Hotjar is properly suppressing input fields

Since Hotjar suppresses elements client-side rather than server-side for added privacy & security, you can verify this yourself. Below are the steps to confirm this.

Note

Make sure your Recordings are turned on.

Open a new Google Chrome tab/window with the console panel open

You will need to make sure it is open on the Network tab. At Hotjar we use the Chrome developer tools because it is easier to see this type of data.

Go to a URL on your site where Recordings are enabled.

At least one field needs to be suppressed so you can confirm Hotjar is not sending the keystroke data.

In the Network tab, click on these items - funnel/filter icon > ws.

If Hotjar is recording you, there should be a websocket called ws. This is the websocket we use to stream the data from the visitor's browser to our servers. This includes in it every keystroke, click, page mutation, etc. Click on ws > Frames.

Steps to see data the Hotjar script sends through the websocket to our servers

Once done, a new frame should appear in the right panel in green, however, it is visually seen as a different row.

Copy the content of that frame

Paste it into a notepad

This way you will be able to see the full content of the frame. In it you should see something like this:

Extract from a websocket frame, showing that asterisk symbols are being sent rather than the actual user input.

The image above means that Hotjar tracked keystrokes on the #name field and asterisk symbols were sent to our servers rather than the actual user input as the field is being suppressed. You should see the same thing for your suppressed fields.

Note

We offer automatic on-page text suppression for all email addresses and numbers. You can learn more in our Suppressing On-Page Text article.